Multiple NATs using nftables maps: Difference between revisions

Revision as of 02:45, 20 April 2021

Thanks to nftables Maps, if you have a previous iptables NAT (destination NAT) ruleset like this:

% iptables -t nat -A PREROUTING -p tcp --dport 1000 -j DNAT --to-destination 1.1.1.1:1234
% iptables -t nat -A PREROUTING -p udp --dport 2000 -j DNAT --to-destination 2.2.2.2:2345
% iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 3.3.3.3:3456

It can be easily translated to nftables in a single line:

% nft add rule nat prerouting dnat to \
      tcp dport map { 1000 : 1.1.1.1, 2000 : 2.2.2.2, 3000 : 3.3.3.3} \
      : tcp dport map { 1000 : 1234, 2000 : 2345, 3000 : 3456 }

Likewise, in iptables NAT (source NAT):

% iptables -t nat -A POSTROUTING -s 192.168.1.1 -j SNAT --to-source 1.1.1.1
% iptables -t nat -A POSTROUTING -s 192.168.2.2 -j SNAT --to-source 2.2.2.2
% iptables -t nat -A POSTROUTING -s 192.168.3.3 -j SNAT --to-source 3.3.3.3

Translated to a nftables one-liner:

% nft add rule nat postrouting snat to \
      ip saddr map { 192.168.1.1 : 1.1.1.1, 192.168.2.2 : 2.2.2.2, 192.168.3.3 : 3.3.3.3 }

@@ Line 10: / Line 10: @@
 <source lang="bash">
-% nft add rule nat prerouting dnat \
+% nft add rule nat prerouting dnat to \
        tcp dport map { 1000 : 1.1.1.1, 2000 : 2.2.2.2, 3000 : 3.3.3.3} \
        : tcp dport map { 1000 : 1234, 2000 : 2345, 3000 : 3456 }
@@ Line 26: / Line 26: @@
 <source lang="bash">
-% nft add rule nat postrouting snat \
+% nft add rule nat postrouting snat to \
        ip saddr map { 192.168.1.1 : 1.1.1.1, 192.168.2.2 : 2.2.2.2, 192.168.3.3 : 3.3.3.3 }
 </source>

Multiple NATs using nftables maps: Difference between revisions

Revision as of 02:45, 20 April 2021

See also

Navigation menu

Multiple NATs using nftables maps: Difference between revisions

Revision as of 02:45, 20 April 2021

See also

Navigation menu

Search